markusg wrote: looks like this one is signed; in the signature details I see Comodo

Both certs are invalid and untrusted. It injects a payload DLL into explorer.exe and, from there, into every starting process via a CreateProcessW hook. Due to bugs in the trojan, explorer crashes every time a new program is launched by it.